ISP detecting ICS

mubs

Storage? I am Storage!
Joined
Nov 22, 2002
Messages
4,908
Location
Somewhere in time.
My ISP forbids sharing. They use the NIC's MAC address hard-coded into their server which authenticates it on login. All internet access is possible only after login. Their TOS says one connection = one computer and any violation will result in cancellation of service.

My contact guy claims sharing caused problems for their server and they had to clamp down on it. I tried explaining what NAT was, etc. to no avail. I'm on a pre-paid 30-day 1-GB bandwidth plan, with the service automatically stopped when one of these limits is hit. So I don't feel that I'm cheating them. But in the end, it boiled down to "Company policy".

If I used two NICs in my desktop, one directly connected to the internet cable, and another to an ethernet switch to which my other machines were connected, and used XP's ICS, can the ISP *really tell* if I'm sharing? Isn't NAT supposed to be transparent to the outside world?
 

ddrueding

Fixture
Joined
Feb 4, 2002
Messages
19,729
Location
Horsens, Denmark
The best response I could provide is "probably not". NAT is just what you've implied you think it is; sharing which is transparent to the parent network. A broadband router should do the same (most support MAC cloning on the WAN port). Of course, if they did full packet inspection on all your traffic and discovered abnormal traffic patterns, they may suspect something, but WTF? Screw them for having stupid policies.
 

sechs

Storage? I am Storage!
Joined
Feb 1, 2003
Messages
4,709
Location
Left Coast
Depending on the exact wording, using a router could perfectly fulfill the "one connection, one computer" rule. It would just be a computer that routes the data to and from other computers.

Personally, I'd suggest getting a new ISP.
 

mubs

Storage? I am Storage!
Joined
Nov 22, 2002
Messages
4,908
Location
Somewhere in time.
Thanks DD & Sechs.

Logically, I'd have to think the packet has some kind of identifying info for the router to send that packet to the specific IP address that requested it on the private network. So in theory, they should be able to tell if there is sharing or not. Since these guys also are the ISPs for a lot of Cyber-cafe type joints (where the same one-connection one-computer rule applies), I'd think they have the mechanism in place to tell.

Sechs: No dice on any of your points.
 

theSwede

What is this storage?
Joined
Jan 27, 2002
Messages
54
Location
Umeå, Sweden
Logically, I'd have to think the packet has some kind of identifying info for the router to send that packet to the specific IP address that requested it on the private network.

The router uses the destination port of the packet to decide which internal IP address it should be routed to. There is no way the ISP can see that you have several computers on your private network other than analyzing traffic patterns (as ddrueding said).
 

mubs

Storage? I am Storage!
Joined
Nov 22, 2002
Messages
4,908
Location
Somewhere in time.
Hmmmmm. If I had 4 PCs on an internal network, and only one of those had an Internet connection and the other 3 were sharing that connection with ICS, and each of the 4 was doing an http download, wouldn't the destination port used be identical in all of them? From a TCP point of view? Of course I could be missing something major here.

With respect to analyzing traffic flows, I could be a power user with multiple browser windows open (or multiple tabs) all doing different things. How would they be able to tell just by analyzing the flow? Again I'm probably missing something major here.
 

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
22,275
Location
I am omnipresent
FWIW, Comcast and AT&T (SBC) both have provisions buried in their terms of service regarding home routers and NAT. Needless to say, everyone ignores them. Just don't mention your router when you have to call their support hotline. I'm pretty sure it's just boilerplate language to justify cutting someone off anyway.

There's a few things I can say here:
1. Everyone with any sense at all is using a Firewall these days. People at least stealth open ports, if they don't outright close them. This behavior is the same whether you have a firewall device or a software firewall.
2. The whole point of setting up NAT is that all traffic, from the perspective of the rest of the Internet, appears to originate from the single IP on the internet-facing side of the NAT. Your internal configuration does not "leak" onto the Internet in any way, shape or form.
3. There may be "fingerprints" specific to various home routing hardware that big ISPs and certainly hackers would know about. Given point #1, above, and the wide variety of possible firewalling software in the world, I don't think this is a serious issue.
4. Your home router is also (kinda-sorta) a Firewall. If they bitch about you having a router, tell them that's what you're using it for. They can't see inside your network (legally), anyway.
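The mechanism theSwede describes, mubs's question about four hosts all using destination port 80, and Mercutio's point 2 (everything appears to come from the single public IP) can all be shown with a small NAT table. The following is an added example, not code from anyone in this thread: a toy port-overloading NAT (NAPT) that rewrites the private (address, port) of each outbound packet to the public address plus a NAT-chosen source port, and uses that port, not the destination port, to steer the reply back. The addresses are constructed from the RFC 5737 documentation ranges.

```python
"""Toy NAPT table: what the ISP sees versus what the private network knows."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

PUBLIC_IP = "203.0.113.10"   # constructed: the single address the ISP assigns
SERVER_IP = "198.51.100.7"   # constructed: some web server on the Internet


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    """Rewrites outbound (src_ip, src_port) to (public_ip, unique port), undoes it on replies."""

    def __init__(self, public_ip: str, first_port: int = 1024) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound_map: Dict[Tuple[str, int], int] = {}   # private endpoint -> public port
        self.inbound_map: Dict[int, Tuple[str, int]] = {}    # public port -> private endpoint

    def translate_out(self, pkt: Packet) -> Packet:
        """Allocate a public port for a new private endpoint, reuse it for an existing one."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.outbound_map:
            port = self.next_port
            self.next_port += 1
            self.outbound_map[key] = port
            self.inbound_map[port] = key
        return replace(pkt, src_ip=self.public_ip, src_port=self.outbound_map[key])

    def translate_in(self, pkt: Packet) -> Optional[Packet]:
        """Map a reply back by its destination (public) port; unsolicited traffic is dropped."""
        key = self.inbound_map.get(pkt.dst_port)
        if key is None:
            return None
        return replace(pkt, dst_ip=key[0], dst_port=key[1])


def sample_flows() -> List[Packet]:
    """Constructed: four private hosts, each fetching from the same server on port 80.
    They even use the same ephemeral source port to show that it does not matter."""
    return [Packet(f"192.168.0.{h}", 50000, SERVER_IP, 80) for h in range(2, 6)]


def isp_view(nat: Nat, flows: List[Packet]) -> List[Packet]:
    """The 4-tuples that actually cross the ISP's wire."""
    return [nat.translate_out(p) for p in flows]


def deliver_replies(nat: Nat, seen: List[Packet]) -> List[Optional[Packet]]:
    """Build the server's replies to the translated packets and run them back through the NAT."""
    replies = [Packet(p.dst_ip, p.dst_port, p.src_ip, p.src_port) for p in seen]
    return [nat.translate_in(r) for r in replies]


if __name__ == "__main__":
    nat = Nat(PUBLIC_IP)
    outside = isp_view(nat, sample_flows())
    for p in outside:
        print("ISP sees:", p)            # same src_ip, same dst_port, distinct src_port
    for p in deliver_replies(nat, outside):
        print("NAT delivers reply to:", p)
    print("unsolicited:", nat.translate_in(Packet(SERVER_IP, 80, PUBLIC_IP, 9999)))
```

On the wire every packet carries the public address and destination port 80; the only thing that differs between the four flows is the translated source port, and the table that maps those ports back to private hosts lives inside the NAT box. That is why a plain NAT does not leak the internal layout, and why a reply to a port nobody inside opened is simply dropped.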
 

Buck

Storage? I am Storage!
Joined
Feb 22, 2002
Messages
4,514
Location
Blurry.
Website
www.hlmcompany.com
With point 4, Mercutio used the word "legally". Are we still talking the U.S.? In other countries, your rights can be severely limited in comparison to the U.S. when it comes to Internet use and connectivity.
 

mubs

Storage? I am Storage!
Joined
Nov 22, 2002
Messages
4,908
Location
Somewhere in time.
Thanks everyone for the time and effort. Merc made a lot of good points, but Buck hit it on the head.

Many rights aren't well defined in India (where I'm at). I have no choice of ISPs; it's this one, whose speed / reliability is the minimum acceptable, or dial-up where I pay by the minute for fixed wireless modem speeds. For instance, it took me 1 hr 30 mins to download a certain 145 MB ISO 8) last night; took seven attempts (connection kept breaking); and using the download manager got the job done, or I'd be starting over and over. Incidentally, does an MD5 of CE46A989B738600E24305C2BDFB4623E look right?

I think the answer to densely developed areas where it'll be difficult to dig up and lay fiber would be MANs. However, certain large telecom conglomerates have been digging in large cities laying fiber. No idea how much progress has been made.

My ISP has fibre-optic slung over telephone poles and trees from their main service point some kilometres away, into the elevator motor room of the 4-story 100-unit apartment complex where I live. The FO cable goes into some kind of cheap looking box from which an ethernet cable comes out, which is plugged into a 100 mbps switch. Another long ethernet cable from the switch is brought into the unit that wants internet access. So the service is provided in the form of an ethernet cable.

I asked about getting a second connection; would I get a second cable? No. I'll get a 10mbps hub which will be placed in my apartment, but the second PC would be authenticated by the server and assigned its own IP address.

Re. sharing, if they suspect it, the ISP could ask to inspect my home setup; I could refuse; and service could be cancelled. I'm an oddball user out here; most (99.9999%) have a single PC or laptop, if they have a machine at all. Me, I have 5 including my laptop. Keeping those up-to-date and/or playing around with Linux will be a challenge without direct connectivity.

I'll just play it by ear and see how it goes. We're renting this place till we have some money to buy our own place. That's where the real fun will begin because that situation would be permanent.

Bozo, AFAIK, TOR is for anonymous surfing. Won't help my situation.
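Whether the MD5 mubs quotes is "right" can only be settled against the checksum the ISO's publisher lists, but the checking itself is worth showing after a download that broke seven times and was stitched together by a download manager. The following is an added example, not something posted in this thread: it hashes a file in chunks so a large ISO is never read into memory at once, and compares the result to the published value in constant time. MD5 is adequate for catching a corrupted or mis-resumed download; for detecting deliberate tampering use SHA-256 where the publisher offers it, which the `algo` parameter allows.

```python
"""Verify a downloaded file against a published checksum (MD5 or SHA-256)."""
import hashlib
import hmac
import io
from typing import BinaryIO

CHUNK_SIZE = 1 << 20  # 1 MiB reads keep memory flat for multi-GB images


def digest_stream(stream: BinaryIO, algo: str = "md5") -> str:
    """Hash a binary stream incrementally and return the lower-case hex digest."""
    h = hashlib.new(algo)
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        h.update(chunk)
    return h.hexdigest()


def verify_stream(stream: BinaryIO, expected_hex: str, algo: str = "md5") -> bool:
    """Compare the stream's digest to the published one; case and whitespace are tolerated."""
    actual = digest_stream(stream, algo)
    return hmac.compare_digest(actual, expected_hex.strip().lower())


def verify_bytes(data: bytes, expected_hex: str, algo: str = "md5") -> bool:
    """Convenience wrapper for in-memory data (used for the constructed sample below)."""
    return verify_stream(io.BytesIO(data), expected_hex, algo)


def verify_file(path: str, expected_hex: str, algo: str = "md5") -> bool:
    """Verify an on-disk download, e.g. verify_file("image.iso", "<published md5>")."""
    with open(path, "rb") as f:
        return verify_stream(f, expected_hex, algo)


if __name__ == "__main__":
    # Constructed stand-in for a downloaded image; a real run would call verify_file().
    sample = b"constructed sample download contents\n" * 1000
    published = digest_stream(io.BytesIO(sample))          # pretend this came from the mirror
    print("md5   :", published)
    print("intact:", verify_bytes(sample, published))
    print("damaged:", verify_bytes(sample[:-1], published))  # one byte short, as a broken resume might leave it
```

A mismatch after a resumed download usually means one segment was re-fetched from a different offset or truncated; re-downloading is the only fix, since the hash says nothing about where the damage is.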
 

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
22,275
Location
I am omnipresent
Well, in this case the Tor services were being raided for a very legitimate reason: Tor is popular with kiddy porn-sharers.
The Tor people don't want it any more than anyone else does, but, you know, build a secure private network and it's not just going to be used by anticensorship advocates in oppressed third world countries.
 

Buck

Storage? I am Storage!
Joined
Feb 22, 2002
Messages
4,514
Location
Blurry.
Website
www.hlmcompany.com
My ISP has fibre-optic slung over telephone poles and trees from their main service point some kilometres away, into the elevator motor room of the 4-story 100-unit apartment complex where I live. The FO cable goes into some kind of cheap looking box from which an ethernet cable comes out, which is plugged into a 100 mbps switch. Another long ethernet cable from the switch is brought into the unit that wants internet access. So the service is provided in the form of an ethernet cable.

Sounds very unprofessional. Too bad they won't pay you to set up the building correctly. I'm sure you could do a great job.
 

Tannin

Storage? I am Storage!
Joined
Jan 15, 2002
Messages
4,448
Location
Huon Valley, Tasmania
Website
www.redhill.net.au
I'd look at using an uncommon sort of firewall/router - i.e., one that they won't recognise right away. A Smoothwall is a good, cheap, and very effective way to do this. What a shame you can't simply give the bastards the flick and get another ISP.
 

Corvair

Learning Storage Performance
Joined
Jan 25, 2002
Messages
231
Location
Desolation Boulevard
Mubs said:
My ISP has fibre-optic slung over telephone poles and trees from their main service point some kilometres away, into the elevator motor room of the 4-story 100-unit apartment complex where I live. The FO cable goes into some kind of cheap looking box from which an ethernet cable comes out, which is plugged into a 100 mbps switch. Another long ethernet cable from the switch is brought into the unit that wants internet access. So the service is provided in the form of an ethernet cable...

If I were there, I could tell you pretty quickly what they were up to.
I'm guessing that you are right in the thick of town. If you are, they could be bringing Metropolitan Area Ethernet service into a building Ethernet router into which multiple Ethernet switches have their uplinks plugged. Or, they could be bringing in OC-1 or OC-3 service, but that's a bit pricey.
 

ddrueding

Fixture
Joined
Feb 4, 2002
Messages
19,729
Location
Horsens, Denmark
...or cheap ADSL service to a linksys router to a media adapter to fiber to another media adapter to a hub in your building. Better profit margins that way.
 